Topic: Secondary IP on OPT1 traffic blocked to LAN  (Read 2178 times)
« on: January 20, 2012, 11:37:05 »
JohnJFowler *
Posts: 18

Hi,

I have an ALIX 2D3 LX800 running version 1.33 setup for use in a network with WAN and LAN which is running beautifully.

I basically would like the ability to have a DMZ network with limited access to LAN (DNS, Active Directory authentication and NTP), but full WAN access out for the Proxy, and a separate subnet for Visitor access with DHCP with access only to the WAN with limited ports (HTTP/HTTPS/FTP and some VPN rules) but just using the 3-NIC device?

I've attempted to use the Secondary IP address on the OPT1 interface with some limited success, but wondered if this is down to the limited functionality of the secondary IP feature?

I've basically performed the following for the 3rd NIC on the ALIX:

OPT1 - Primary IP 192.168.212.254/24 with a DHCP scope on the subnet (DHCP seems to work great) - This was to be a Visitor LAN
OPT1 - Secondary IP 192.168.202.254/24 - This was to be a DMZ LAN

Added rules to allow all LAN to DMZ on the LAN firewall rules, and vice-versa on the OPT1 firewall rules.

Added a proxy into the DMZ lan range as static address 192.168.202.52 with gateway as 192.168.202.254. Can ping mono secondary IP from proxy, and vice versa.

Tried pinging the proxy IP from a machine on the LAN but got constant TTL timeouts, and couldn't get back the other way either.

Managed to get ping working by disabling the Spoof Checking as the logs were saying that device not on LAN and no ARP were shown in the table. I could then ping from the LAN to the proxy when the spoof checking was disabled. Ping from the proxy to LAN (or any other IP outside of the physical interface) doesn't work though.

However, I could get to the web management interface for the proxy via the LAN so started my configuring for WAN & LAN access as some things seem to work.

I've got rules in place to allow any traffic both ways from LAN to OPT1 (DMZ lan) and from OPT1 (DMZ lan) to LAN, but when trying to configure access from the Proxy for NTP updates via our local LAN, I get deny entries appearing? It's the same with any valid rules I have in place for the secondary IP via the OPT1 interface?

As some tests, rules from LAN to DMZ work as expected (for example, ICMP traffic from my LAN to the Proxy set to block works okay and comes back when allowed) and the logs show it as permitted traffic. But traffic coming from the OPT1 DMZ appears as blocked traffic.

It just seems that the rules only appear to work one way? i.e. traffic from the LAN to the OPT1 interface.

Is there anything I'm missing? Some additional routes needed from the secondary network, etc.?

Or am I being over ambitious using the secondary IP to effectively create 2 separate networks on the same interface with the present version?

I would be most grateful for any help or info.

Kind Regards
John
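To make the symptom above concrete, here is a small model, added to this thread and not m0n0wall's own code, of what happens when an interface's ingress anti-spoof check only knows that interface's primary subnet and is consulted before any firewall rule. The OPT1 primary (192.168.212.0/24), the secondary (192.168.202.0/24) and the proxy address come from the post; the LAN subnet 192.168.1.0/24, the NTP server address and the rule semantics (first match wins, default deny) are assumptions made for the example.

```python
"""Simplified model of an interface-bound anti-spoof check plus per-interface
rules.  Constructed example: NOT m0n0wall code.  LAN subnet, NTP server and
rule semantics are assumptions; the OPT1 addresses are from the post."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    primary: IPv4Net
    secondaries: List[IPv4Net] = field(default_factory=list)

    def owns(self, addr: ipaddress.IPv4Address, with_secondaries: bool) -> bool:
        """True if addr lies in a subnet bound to this interface."""
        nets = [self.primary] + (self.secondaries if with_secondaries else [])
        return any(addr in net for net in nets)


@dataclass
class Rule:
    iface: str             # interface whose (ingress) rule set this belongs to
    action: str            # "pass" or "block"
    proto: str             # "any", "icmp", "udp", "tcp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None


def evaluate(ifaces: List[Interface], rules: List[Rule], ingress: str,
             src: str, dst: str, proto: str, dport: Optional[int] = None,
             spoof_check: bool = True,
             spoof_knows_secondaries: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet arriving on interface `ingress`."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = next(i for i in ifaces if i.name == ingress)
    # Step 1: anti-spoof.  The source must belong to the ingress interface.
    # With only the primary subnet known, a DMZ (secondary) source fails here
    # before any rule on OPT1 is even looked at.
    if spoof_check and not iface.owns(src_ip, spoof_knows_secondaries):
        return "block", f"anti-spoof: {src} is not on {ingress}"
    # Step 2: first matching rule on the ingress interface wins.
    for r in rules:
        if r.iface != ingress or (r.proto != "any" and r.proto != proto):
            continue
        if src_ip not in r.src or dst_ip not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, f"{ingress} rule: {r.action} {r.proto} {r.src} -> {r.dst}"
    return "block", "default deny"


LAN = IPv4Net("192.168.1.0/24")          # assumed LAN subnet
VISITOR = IPv4Net("192.168.212.0/24")    # OPT1 primary (from the post)
DMZ = IPv4Net("192.168.202.0/24")        # OPT1 secondary (from the post)

# Setup from the post: one physical OPT1 carrying both subnets.
SECONDARY_SETUP = [Interface("LAN", LAN), Interface("OPT1", VISITOR, [DMZ])]
# Conventional setup suggested later in the thread: DMZ gets its own interface.
CONVENTIONAL_SETUP = [Interface("LAN", LAN), Interface("OPT1", DMZ)]

RULES = [
    Rule("LAN", "pass", "any", LAN, DMZ),               # LAN -> DMZ, anything
    Rule("OPT1", "pass", "udp", DMZ, LAN, dport=53),    # DMZ -> LAN DNS
    Rule("OPT1", "pass", "udp", DMZ, LAN, dport=123),   # DMZ -> LAN NTP
    Rule("OPT1", "pass", "icmp", DMZ, LAN),             # DMZ -> LAN ping
]

PROXY = "192.168.202.52"       # from the post
NTP_SERVER = "192.168.1.10"    # assumed LAN host


def lan_to_proxy_ping() -> Tuple[str, str]:
    return evaluate(SECONDARY_SETUP, RULES, "LAN", NTP_SERVER, PROXY, "icmp")


def proxy_ntp_strict() -> Tuple[str, str]:
    """Secondary-IP setup, spoof check knows only the primary subnet."""
    return evaluate(SECONDARY_SETUP, RULES, "OPT1", PROXY, NTP_SERVER, "udp", 123)


def proxy_ntp_spoof_check_off() -> Tuple[str, str]:
    return evaluate(SECONDARY_SETUP, RULES, "OPT1", PROXY, NTP_SERVER, "udp", 123,
                    spoof_check=False)


def proxy_ntp_secondary_aware() -> Tuple[str, str]:
    return evaluate(SECONDARY_SETUP, RULES, "OPT1", PROXY, NTP_SERVER, "udp", 123,
                    spoof_knows_secondaries=True)


def proxy_ntp_conventional() -> Tuple[str, str]:
    """DMZ on its own interface: the strict check is satisfied by the primary."""
    return evaluate(CONVENTIONAL_SETUP, RULES, "OPT1", PROXY, NTP_SERVER, "udp", 123)


if __name__ == "__main__":
    for f in (lan_to_proxy_ping, proxy_ntp_strict, proxy_ntp_spoof_check_off,
              proxy_ntp_secondary_aware, proxy_ntp_conventional):
        print(f"{f.__name__:28s} {f()}")
```

In the model, LAN-to-proxy traffic passes because its source is on the LAN primary, while the proxy's NTP request is dropped by the OPT1 anti-spoof check before the matching OPT1 rule is reached; turning the check off or binding the secondary subnet to the interface lets the rule fire, and giving the DMZ its own interface passes the strict check. Note that the reply half of a LAN-to-proxy ping also enters on OPT1 with a DMZ source, so a strict check would hit that too, which matches the one-way behaviour the post describes.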
« Reply #1 on: May 24, 2012, 17:10:52 »
mcipseric *
Posts: 3

anything on this?
« Reply #2 on: May 24, 2012, 17:27:04 »
Fred Grayson *****
Posts: 994

I would use a more conventional setup with the three interfaces - WAN, LAN, and OPT1 for DMZ.

--
Google is your friend and Bob's your uncle.
« Reply #3 on: May 24, 2012, 17:35:57 »
mcipseric *
Posts: 3

Hi,
I need to have a secondary LAN subnet. I am not concerned with firewalling, only using it for NAT.
I have tried a secondary LAN IP; I can ping the secondary IP but nowhere else.
I have tried adding an OPT port but that does not respond to pings.

Any suggestions?

thank you